#!/bin/sh
# PCP QA Test No. 712
# Exercise encrypted communications between pmcd/clients
#
# Debugging notes:
#   When this fails in TLS negotiation it is very hard to debug.
#   There is special debugging magic between libpcp and libssl
#   that needs to be activated.
#   1. add -D auth,tls,desperate to /etc/pcp/pmcd/pmcd.options
#   2. run this test
#   3. start dredging through /var/log/pmcd/pmcd.log.prev (.prev will
#      be the one that was active when this test was run) ... in
#      particular look for blocks of diagnostics that begin
#      Received Record or Sent Record these are the dumps of the TLS
#      handshake messages (including the cipher negotiations and the
#      certificates)
#
# Copyright (c) 2012-2013,2022 Red Hat.
# Copyright (c) 2023 Ken McDonell.
#

seq=`basename $0`
echo "QA output created by $seq"

. ./common.secure

_check_tls

_cleanup()
{
    _restore_config $PCP_TLSCONF_PATH
    unset PCP_SECURE_SOCKETS
    _service pmcd restart 2>&1 | _filter_pcp_restart
    _wait_for_pmcd
    _restore_auto_restart pmcd
    _service pmlogger restart 2>&1 | _filter_pcp_restart
    _wait_for_pmlogger
    _restore_auto_restart pmlogger

    $sudo rm -rf $tmp.*
}

status=1	# failure is the default!
trap "_cleanup; exit \$status" 0 1 2 3 15

if [ ! -f .rnd ]
then
    echo "Creating random bytes in .rnd" >>$seq_full
    openssl rand -writerand .rnd
fi

_save_config $PCP_TLSCONF_PATH
_stop_auto_restart pmcd
_stop_auto_restart pmlogger
if ! _service pmlogger stop 2>&1; then _exit 1; fi \
| _filter_pcp_stop
_wait_pmlogger_end || _exit 1
if ! _service pmcd stop 2>&1; then _exit 1; fi \
| _filter_pcp_stop
_wait_pmcd_end || _exit 1

_filter_tls()
{
    sed \
	-e 's/value [0-9][0-9]*/value NUMBER/' \
	-e '/pminfo([0-9][0-9]*)/s//pminfo(PID)/' \
	-e "s/host \"$hostname\"/host LOCALHOST/g" \
	-e 's/^\[[A-Z].. [A-Z]..  *[0-9][0-9]* ..:..:..]/[DATE]/' \
    #end
}

# real QA test starts here
_setup_tls
original=$PCP_TLSCONF_PATH
cp $original $tmp.tls.orig

if ! _service pmcd start || ! _wait_for_pmcd
then
    echo "--- cert & key files and sum by user $PCP_USER"
    for file in $tmp.tls/*
    do
	ls -l $file
	sudo -u $PCP_USER sum $file
    done
    echo "--- openssl.log from key & cert setup"
    cat $tmp.tls/openssl.log
    _exit 1
fi | _filter_pcp_start

echo
echo "checking client, generic certificate.  should pass..."
export PCP_SECURE_SOCKETS=1
yes | pminfo -h $hostname -f hinv.ncpu 2>&1 | tee -a $seq_full | _filter_tls

echo
echo "checking client, no certificate verify.  should pass..." | tee -a $seq_full
export PCP_SECURE_SOCKETS=1
export PCP_TLSCONF_PATH=/dev/null
yes | pminfo -h $hostname -f hinv.ncpu 2>&1 | tee -a $seq_full | _filter_tls
export PCP_TLSCONF_PATH=$original

echo
echo "checking client, verify certificate setup.  should pass..." | tee -a $seq_full
cp $tmp.tls.orig $tmp.tls.conf
echo "tls-verify-clients = true" >> $tmp.tls.conf
$sudo cp $tmp.tls.conf $PCP_TLSCONF_PATH
export PCP_SECURE_SOCKETS=1
yes | pminfo -h $hostname -f hinv.ncpu 2>&1 | tee -a $seq_full | _filter_tls

echo
echo "checking client, server certificate only.  should fail..." | tee -a $seq_full
cp $tmp.tls.orig $tmp.tls.conf
sed -i -e 's/pcp.key/server.key/g' $tmp.tls.conf
sed -i -e 's/pcp.crt/server.crt/g' $tmp.tls.conf
unset PCP_SECURE_SOCKETS
if ! _service pmcd start; then _exit 1; fi \
| _filter_pcp_start
_wait_for_pmcd || _exit 1
$sudo cp $tmp.tls.conf $PCP_TLSCONF_PATH
export PCP_TLSCONF_PATH=$original
export PCP_SECURE_SOCKETS=1
yes | pminfo -h $hostname -f hinv.ncpu 2>&1 | tee -a $seq_full | _filter_tls

# check mode where separate client/server certificates are used
#cp $tmp.tls.orig $tmp.tls.conf
#sed -i -e 's/pcp.key/server.key/g' $tmp.tls.conf
#sed -i -e 's/pcp.crt/server.crt/g' $tmp.tls.conf
#echo "tls-client-key-file = $here/tls.conf/client.key" >> $tmp.tls.conf
#echo "tls-client-cert-file = $here/tls.conf/client.crt" >> $tmp.tls.conf
#echo "tls-verify-clients = true" >> $tmp.tls.conf
#$sudo cp $tmp.tls.conf $PCP_TLSCONF_PATH

#unset PCP_SECURE_SOCKETS
#_service pmcd start | _filter_pcp_start
#_wait_for_pmcd

#echo
#echo "checking both client and server certificates.  should pass..." | tee -a $seq_full
#export PCP_SECURE_SOCKETS=1
#yes | pminfo -h $hostname -f hinv.ncpu 2>&1 | tee -a $seq_full | _filter_tls

# success, all done
status=0
exit
